
Three resources for delegating rights

How would you go about implementing security based on the principle of least privilege for helpdesk staff in an eight-domain forest? I have granted and denied rights over certain OUs through delegation or security settings. Those that are on the helpdesk also maintain user shares, backup operations, enterprise AV, etc., which falls over into file and data security. I would rather not become too granular with this because documenting and reporting on the configuration is difficult, unless you have a way to list all user security and privileges. I do not believe that my efforts have been in vain, but I would like to get your input so that I can verify and strengthen my work.
I'd start, like it appears you did, by determining what the helpdesk needs to do and then delegating these rights only over the OUs that they need them for. Three important resources that may help you are the best practices guides and appendices for delegating rights and the tool dsrevoke.exe. Dsrevoke.exe can be used to list (help you create reports) delegated rights in Active Directory and also to remove delegated rights.
This was last published in March 2005
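For the reporting side of the question, the following is an added example and not part of the original answer or a replacement for dsrevoke.exe: a PowerShell sketch that lists the explicit (non-inherited) Allow and Deny entries held by one principal on every OU in every domain of the forest. It assumes the RSAT ActiveDirectory module is installed; the group name `CONTOSO\Helpdesk` and the output file name are placeholders.

```powershell
# Added example: report explicit ACEs on every OU in the forest for one principal.
# Read-only; it changes nothing in the directory.
Import-Module ActiveDirectory

# Assumption: placeholder values, replace with your own group and report path.
$Principal = 'CONTOSO\Helpdesk'
$OutFile   = '.\ou-delegation-report.csv'

$report = foreach ($domain in (Get-ADForest).Domains) {
    # Pull each OU together with its security descriptor from that domain.
    $ous = Get-ADOrganizationalUnit -Filter * -Server $domain `
               -Properties nTSecurityDescriptor

    foreach ($ou in $ous) {
        # $true  = include ACEs set directly on this OU (the delegations)
        # $false = skip ACEs inherited from a parent, so each grant is listed once
        $rules = $ou.nTSecurityDescriptor.GetAccessRules(
                     $true, $false, [System.Security.Principal.NTAccount])

        foreach ($ace in $rules) {
            if ($ace.IdentityReference.Value -ne $Principal) { continue }

            [pscustomobject]@{
                Domain              = $domain
                OU                  = $ou.DistinguishedName
                Principal           = $ace.IdentityReference.Value
                Type                = $ace.AccessControlType      # Allow or Deny
                Rights              = $ace.ActiveDirectoryRights
                ObjectType          = $ace.ObjectType             # attribute/class GUID
                InheritedObjectType = $ace.InheritedObjectType
                AppliesTo           = $ace.InheritanceType
            }
        }
    }
}

# One row per delegated right, suitable for documentation or periodic diffing.
$report | Sort-Object Domain, OU | Export-Csv -Path $OutFile -NoTypeInformation
```

Saving the CSV from each run and comparing it with the previous one shows when a delegation was added or widened without being documented.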
